This is the sixth post in a blog series describing how to build a Web Application Firewall (WAF) using the Apache .htaccess file and Project Honey Pot to help reduce spam traffic hitting your website. 

The Blue Plate WAF is for small websites on basic hosting plans that lack access to more sophisticated web security tools.  These basic plans are often used to host content management systems such as WordPress, Joomla, Drupal, or Typo3 which are ideal for small organizational websites.

Malicious bots continuously scan the internet to locate login screens or vulnerabilities in content management system (CMS) applications.  Once a bot identifies an admin page, directory, or CMS vulnerability, the location of that artifact is passed back to the bot's command and control (C&C) infrastructure.  These locations are then targeted later to compromise the identified vulnerability or to conduct other attacks such as password spray, dictionary, or brute force attacks to gain access to the content management system.

The vulnerabilities, file locations, and file names of content management systems are well known, and attempts to exploit them can be identified by Apache using .htaccess.  After an access attempt has been identified by the .htaccess file, the identified traffic can be passed to Project Honey Pot.  This increases the intelligence of your honeypot and leads to proactive blocking of malicious bots that may attempt other attack techniques on your website.

How To Send Content Management Administrator Console Access Attempts To Your Honeypot Using .htaccess

We will start with the .htaccess file we created in the previous post.  The new code we create uses the framework introduced in previous blog posts to send suspicious traffic to our honeypot webpage using the Project Honey Pot system.

The code below uses the RewriteRule command to virtually point common content management console admin directories directly to your honey pot.  Only site administrators should be accessing these directories and it is a common practice to rename out-of-the-box admin directories to a non-standard name.   The [NC] switch is used to indicate that the directory string is not case sensitive. The [L] switch is used with RewriteRule to indicate that Apache should stop processing additional rule sets.

 

 

##### Redirect Attempts to Access Content Management Admin Directories -- START
RewriteRule (?:^|/)wp-admin/(.*) /honeypot.php/ [NC,L] #WordPress
RewriteRule (?:^|/)wp-admin(.*) /honeypot.php/ [NC,L] #WordPress
RewriteRule (?:^|/)administrator(.*) /honeypot.php/ [NC,L] #Joomla
RewriteRule (?:^|/)administrator/(.*) /honeypot.php/ [NC,L] #Joomla
##### Redirect Attempts to Access Content Management Admin Directories -- END

 

 

How To Send Content Management Core Application Access Attempts To Your Honeypot Using .htaccess

Directories that contain core application files should not be accessed by external users and we have observed malicious bots targeting such directories. The same RewriteRule technique used on administrative directories can be used to virtually point requests to core application directories to your honey pot. 

Core application file directories are used only by the content management system itself and should only be modified during an official application update.  The following links have additional details on popular content management application directory structures:

The code below uses the RewriteRule command to virtually point common content management core application directories directly to your honey pot.  The [NC] switch is used to indicate that the directory string is not case sensitive. The [L] switch is used with RewriteRule to indicate that Apache should stop processing additional rule sets.  Because each pattern ends in (.*), it also matches any file or directory whose name merely begins with the listed word (a page named core-values.html, for example), so check your site's own URLs before enabling the core and includes rules.

 

 

##### Redirect Attempts to Access Content Management Core Application Code Directories -- START
RewriteRule (?:^|/)wp-includes/(.*) /honeypot.php/ [NC,L] #WordPress directory to store core application files
RewriteRule (?:^|/)wp-includes(.*) /honeypot.php/ [NC,L] #WordPress directory to store core application files
RewriteRule (?:^|/)includes/(.*) /honeypot.php/ [NC,L] #Joomla directory to store core application files
RewriteRule (?:^|/)includes(.*) /honeypot.php/ [NC,L] #Joomla directory to store core application files
RewriteRule (?:^|/)core/(.*) /honeypot.php/ [NC,L] #Drupal 8 directory to store core application files
RewriteRule (?:^|/)core(.*) /honeypot.php/ [NC,L] #Drupal 8 directory to store core application files
RewriteRule (?:^|/)typo3/(.*) /honeypot.php/ [NC,L] #Typo3 directory to store core application files
RewriteRule (?:^|/)typo3(.*) /honeypot.php/ [NC,L] #Typo3 directory to store core application files
##### Redirect Attempts to Access Content Management Core Application Code Directories -- END

 

 

How To Send Unused Content Management User Content Directories and Log-In Directories To Your Honeypot Using .htaccess

Add another layer of detection by sending requests for the user-content and log-in directories of content management systems (CMS) that are not installed on your server to your honey pot.

These RewriteRules should only be used when the specified CMS system is not installed on your server.  Using these RewriteRules when the CMS is installed on your server will cause some content to be inaccessible by legitimate users.

The code below uses the RewriteRule command to virtually point unused content management directories directly to your honey pot.  The [NC] switch is used to indicate that the directory string is not case sensitive. The [L] switch is used with RewriteRule to indicate that Apache should stop processing additional rule sets.

 

  

##### Redirect Attempts to Access Unused Content Management System Related Directories -- START
RewriteRule (?:^|/)wp-content/(.*) /honeypot.php/ [NC,L] #WordPress CMS user content
RewriteRule (?:^|/)wp-content(.*) /honeypot.php/ [NC,L] #WordPress CMS user content
RewriteRule (?:^|/)wp-login/(.*) /honeypot.php/ [NC,L] #WordPress CMS log-in directory
RewriteRule (?:^|/)wp-login(.*) /honeypot.php/ [NC,L] #WordPress CMS log-in directory
RewriteRule (?:^|/)wordpress/(.*) /honeypot.php/ [NC,L] #WordPress CMS home directory
RewriteRule (?:^|/)wordpress(.*) /honeypot.php/ [NC,L] #WordPress CMS home directory
RewriteRule (?:^|/)wp-json/(.*) /honeypot.php/ [NC,L] #WordPress CMS APIs directory
RewriteRule (?:^|/)wp-json(.*) /honeypot.php/ [NC,L] #WordPress CMS APIs directory
RewriteRule (?:^|/)wp/(.*) /honeypot.php/ [NC,L] #WordPress CMS home directory
##### Redirect Attempts to Access Unused Content Management System Related Directories -- END

 

 

How To Send Content Management Core Application and Admin File Access Attempts To Your Honeypot Using .htaccess

Core application and admin files should not be accessed by external users and we have observed malicious bots targeting these specific files. The same RewriteRule technique can be used to virtually point core and admin file requests to your honey pot.   

The following links have additional details on popular content management application core application and admin files:

The code below uses the RewriteRule command to virtually point core and admin file requests directly to your honey pot.  The [NC] switch is used to indicate that the directory string is not case sensitive. The [L] switch is used with RewriteRule to indicate that Apache should stop processing additional rule sets.

 

 

##### Redirect Attempts to Access Content Management Configuration and Admin Specific Files -- START
RewriteRule (?:^|/)admin-ajax\.php /honeypot.php/ [NC,L] #WordPress AJAX UI admin console file
RewriteRule (?:^|/)wp-config\.php /honeypot.php/ [NC,L] #WordPress configuration file
RewriteRule (?:^|/)configuration\.php /honeypot.php/ [NC,L] #Joomla configuration file
RewriteRule (?:^|/)settings\.php /honeypot.php/ [NC,L] #Drupal configuration file
RewriteRule (?:^|/)default\.settings\.php /honeypot.php/ [NC,L] #Drupal configuration file
RewriteRule (?:^|/)LocalConfiguration\.php /honeypot.php/ [NC,L] #Typo3 configuration file
RewriteRule (?:^|/)AdditionalConfiguration\.php /honeypot.php/ [NC,L] #Typo3 configuration file
##### Redirect Attempts to Access Content Management Configuration and Admin Specific Files -- END
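As an added illustration (not code from the original post or from the Blue Plate WAF file), the Python below replays the directory patterns from the three RewriteRule sections above against constructed request paths the way mod_rewrite sees them in a top-level .htaccess, and compares them with a tightened variant that requires the name to be a whole path segment. The tightened patterns, the sample paths and the function names are this example's own assumptions.

```python
import re

# The page's own directory patterns (the substitution is always /honeypot.php/
# on the page, so only the pattern side decides whether a request is redirected).
PAGE_PATTERNS = {
    "wp-admin": r"(?:^|/)wp-admin(.*)",            # WordPress admin console
    "administrator": r"(?:^|/)administrator(.*)",  # Joomla admin console
    "includes": r"(?:^|/)includes(.*)",            # Joomla core files
    "core": r"(?:^|/)core(.*)",                    # Drupal 8 core files
}

# Assumption of this example, not the page's rules: the same names, but the
# name must be an entire path segment (followed by "/" or the end of the path),
# so ordinary pages whose file name merely begins with the word are left alone.
STRICT_PATTERNS = {name: rf"(?:^|/){name}(?:/|$)" for name in PAGE_PATTERNS}


def per_directory_path(request_uri):
    """The string a RewriteRule pattern is matched against in a top-level
    .htaccess: the query string is not part of it, and the directory prefix
    (the document root, i.e. the leading "/") is stripped, which is why the
    page's patterns begin with (?:^|/) rather than a plain "^/"."""
    return request_uri.split("?", 1)[0].lstrip("/")


def matched_rules(patterns, request_uri):
    """Names of the rules whose pattern matches the request ([NC] => ignore case)."""
    path = per_directory_path(request_uri)
    return [name for name, pattern in patterns.items()
            if re.search(pattern, path, re.IGNORECASE)]


def compare(request_uris):
    """For each URI: (rules hit by the page's patterns, rules hit by the strict ones)."""
    return {uri: (matched_rules(PAGE_PATTERNS, uri), matched_rules(STRICT_PATTERNS, uri))
            for uri in request_uris}


# Constructed sample requests: two probes for admin consoles, two ordinary
# site pages whose names happen to start with "core" and "includes", and a
# request that carries a directory name only in the query string.
SAMPLE_URIS = [
    "/wp-admin/admin.php",
    "/blog/Administrator/index.php",
    "/docs/core-values.html",
    "/includes-and-exclusions.pdf",
    "/index.php?page=wp-admin",
]

if __name__ == "__main__":
    for uri, (page, strict) in compare(SAMPLE_URIS).items():
        print(f"{uri:32} page rules: {page or '-'}   strict rules: {strict or '-'}")
```

Both rule sets catch the two console probes (case-insensitively, thanks to [NC]), but only the page's patterns also redirect the two ordinary pages, which is the false-positive risk to check for before enabling the core and includes rules on a site that has pages with such names. Neither set sees the query string, since RewriteRule matches the path only.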

 

 

How To Use RewriteCond To detect CMS Vulnerability Exploitation Attempts and Send Malicious Traffic To Your Honeypot

The code below uses the RewriteCond command to scan the HTTP_USER_AGENT variable for specific commands that have been injected into HTTP_USER_AGENT and are related to known vulnerabilities.

The [NC] switch in the code below is used with RewriteCond to indicate that the string is not case sensitive.  If a string match is detected, the command RewriteRule is used to direct the suspicious traffic to the honeypot.  The [L] switch is used with RewriteRule to indicate that Apache should stop processing additional rule sets.  Because a rewrite made from .htaccess re-submits the new URL to the same rules, the REQUEST_URI condition excludes requests already pointed at honeypot.php from the catch-all rule.

 

Joomla vulnerability CVE-2015-8562

 

 

##### Block Joomla vulnerabilities in user-agent -- START
RewriteCond %{HTTP_USER_AGENT} "JDatabaseDriverMysqli" [NC,OR]
RewriteCond %{HTTP_USER_AGENT} "JSIMPLEPIEFACTORY" [NC]
RewriteCond %{REQUEST_URI} !honeypot.php
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Block Joomla vulnerabilities in user-agent -- END

 

 

The code below uses the RewriteCond command to scan the X-Forwarded-For header (HTTP:X-FORWARDED-FOR) for specific commands that have been injected into it and are related to known vulnerabilities.

 

Joomla vulnerability CVE-2015-8566

 

 

##### Block Joomla vulnerabilities in HTTP:X-FORWARDED-FOR -- START
RewriteCond %{HTTP:X-FORWARDED-FOR} "JDatabaseDriverMysqli" [NC,OR]
RewriteCond %{HTTP:X-FORWARDED-FOR} "JSIMPLEPIEFACTORY" [NC]
RewriteCond %{REQUEST_URI} !honeypot.php
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Block Joomla vulnerabilities in HTTP:X-FORWARDED-FOR -- END

 

 

The working file is available for download here.  We welcome questions, comments, and thoughts on these techniques; reach out to the PCCS Labs Team.

Geo Blocking Russia, Iran, North Korea

This is the seventh editorial in a blog series describing how to build a Web Application Firewall (WAF) using the Apache .htaccess configuration file and Project Honey Pot.  The goal of this blog series is to reduce the volume of spam or malicious internet traffic visiting small and medium size websites. 

The Blue Plate WAF is an experimental cybersecurity tool for small websites on basic web hosting plans that lack access to more sophisticated web security tools.  Basic web hosting plans often host content management systems (CMS) such as WordPress, Joomla, Drupal, or Typo3 for small organizations.

This blog edition focuses on redirecting traffic originating from specific countries without using the traffic's IP address to trigger the redirect.  Determining the originating country of an IP address requires a subscription service because IP address block assignments are continuously updated.  IP address geo blocking subscriptions and geo block tools can be costly or too complex for a small website, so we focus on alternative options.

Built on the Blue Plate WAF Framework

We will start with the experimental .htaccess file we created in the previous Detect Content Management System (CMS) Hacking Attempts blog.  The new code we create will be built on top of all the previous blog posts.

New Framework Use Case, Countries Involved in Conflicts or U.S. Sanctions

The new code will be based on a use case where the website owner wants to limit website traffic from U.S. Treasury sanctioned countries and countries involved in conflicts.  The use case website does not conduct business in any of these regions, countries, or languages and seeks to limit any spillover from cyber warfare originating in the specific conflict zones.  The countries included in this use case are:

  • Russian Collective Security Treaty Organization (CSTO)
    • Russia
    • Armenia
    • Belarus
    • Kazakhstan
    • Tajikistan
  • Serbia
  • Cuba
  • Venezuela
  • North Korea
  • Iran
  • Syria
  • Yemen

New Framework Enhancements, Configuration Directives for Non-IP Based Geo Blocking

We will explore how to use the following Apache variables and configuration directives to detect and filter country specific traffic.  Apart from REMOTE_HOST (a reverse DNS lookup) and the client certificate, every one of these values is supplied by the client itself, so a match identifies traffic that declares a country rather than proving where the connection comes from; treat these checks as supplements to IP address based blocking.

  • REMOTE_HOST
    • Resolve for country code top level domains (ccTLDs)
  • HTTP:Accept-Language
    • Detect country specific languages
  • HTTP:X-Forwarded-Host
    • Resolve for original host country code top level domains when the host is proxied
  • HTTP_REFERER
    • Resolve for referring country code top level domains
  • HTTP_USER_AGENT
    • Detect country specific web browsers
    • Detect country specific mobile phone hardware
    • Detect country specific bots
  • HTTP:From
    • Detect bot email addresses from country code top level domains
  • SSL:SSL_CLIENT_I_DN_O
    • Detect a connecting client's Certificate Authority (I) Distinguished Name (DN) Organization (O) record

Remote Host Detection to Send Users from Specific Countries to Your Honeypot

Remote host detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification.  The REMOTE_HOST variable is populated by Apache with the fully qualified domain name (FQDN) of the remote user, obtained by a reverse DNS lookup of the connecting IP address.  Apache only performs that lookup when HostnameLookups is On or Double for the directory; with the default of Off, or when the lookup fails, REMOTE_HOST holds the value of REMOTE_ADDR (the user's IP address) and none of the conditions below can match.  HostnameLookups cannot be set from .htaccess, so check with your hosting provider.

The code below reads the REMOTE_HOST variable using the RewriteCond command. If a resolved remote host match is detected, the RewriteRule command virtually directs the user to your honey pot. 

To determine the originating country of the traffic, RewriteCond checks whether the user's FQDN ends in a country code top-level domain of one of the countries that the website owner would like to limit.

 

 

##### Start -- Redirect Geo Conflict Hotspots by Remote Host to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{REMOTE_HOST} \.ru$ [NC,OR] #Russia
RewriteCond %{REMOTE_HOST} \.am$ [NC,OR] #Armenia
RewriteCond %{REMOTE_HOST} \.by$ [NC,OR] #Belarus
RewriteCond %{REMOTE_HOST} \.kz$ [NC,OR] #Kazakhstan
RewriteCond %{REMOTE_HOST} \.kg$ [NC,OR] #Kyrgyzstan
RewriteCond %{REMOTE_HOST} \.tj$ [NC,OR] #Tajikistan
RewriteCond %{REMOTE_HOST} \.rs$ [NC,OR] #Serbia
RewriteCond %{REMOTE_HOST} \.cu$ [NC,OR] #Cuba
RewriteCond %{REMOTE_HOST} \.ve$ [NC,OR] #Venezuela
RewriteCond %{REMOTE_HOST} \.kp$ [NC,OR] #North Korea
RewriteCond %{REMOTE_HOST} \.ir$ [NC,OR] #Iran
RewriteCond %{REMOTE_HOST} \.sy$ [NC,OR] #Syria
RewriteCond %{REMOTE_HOST} \.ye$ [NC] #Yemen
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspots by Remote Host to The Honeypot -- End #####

 

 

Proxied Host Detection to Send Users from Specific Countries to Your Honeypot

Forwarded host detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification.  The HTTP:X-Forwarded-Host attribute is populated by Apache with the fully qualified domain name (FQDN) of the remote user when the user is browsing through a proxy; it is only present when that proxy adds the header.

The code below reads the HTTP:X-Forwarded-Host variable using the RewriteCond command. If a resolved forwarded host match is detected, the RewriteRule command virtually directs the user to your honey pot. 

To determine the originating country of the traffic, RewriteCond checks whether the user's FQDN ends in a country code top-level domain of one of the countries that the website owner would like to limit.

 

 

##### Start -- Redirect Geo Conflict Hotspots by Forwarded Host to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{HTTP:X-Forwarded-Host} \.ru$ [NC,OR] #Russia
RewriteCond %{HTTP:X-Forwarded-Host} \.am$ [NC,OR] #Armenia
RewriteCond %{HTTP:X-Forwarded-Host} \.by$ [NC,OR] #Belarus
RewriteCond %{HTTP:X-Forwarded-Host} \.kz$ [NC,OR] #Kazakhstan
RewriteCond %{HTTP:X-Forwarded-Host} \.kg$ [NC,OR] #Kyrgyzstan
RewriteCond %{HTTP:X-Forwarded-Host} \.tj$ [NC,OR] #Tajikistan
RewriteCond %{HTTP:X-Forwarded-Host} \.rs$ [NC,OR] #Serbia
RewriteCond %{HTTP:X-Forwarded-Host} \.cu$ [NC,OR] #Cuba
RewriteCond %{HTTP:X-Forwarded-Host} \.ve$ [NC,OR] #Venezuela
RewriteCond %{HTTP:X-Forwarded-Host} \.kp$ [NC,OR] #North Korea
RewriteCond %{HTTP:X-Forwarded-Host} \.ir$ [NC,OR] #Iran
RewriteCond %{HTTP:X-Forwarded-Host} \.sy$ [NC,OR] #Syria
RewriteCond %{HTTP:X-Forwarded-Host} \.ye$ [NC] #Yemen
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspots by Forwarded Host to The Honeypot -- End #####

 

 

Language Detection to Send Users from Specific Countries to Your Honeypot

Language detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification.  The HTTP:Accept-Language attribute is passed from a user's web browser to identify their language and country configuration.

The code below reads the HTTP:Accept-Language variable sent from the user's browser using the RewriteCond command. If a language match is detected, the RewriteRule command virtually directs the user to your honey pot.

The web browser HTTP:Accept-Language values combine an ISO 639 language code with an optional ISO 3166 country code, in the form the W3C standard for HTTP:Accept-Language defines.  The header lists every language the user accepts in order of preference, so a pattern anchored with ^ such as ^ru only matches when that language is the first entry.

 

 

##### Start -- Redirect Geo Conflict Hotspots by Language to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{HTTP:Accept-Language} ^ru [NC,OR] #Russia Russian
RewriteCond %{HTTP:Accept-Language} ^hy [NC,OR] #Armenia Armenian
RewriteCond %{HTTP:Accept-Language} ^be [NC,OR] #Belarus Belarusian
RewriteCond %{HTTP:Accept-Language} ^kk [NC,OR] #Kazakhstan Kazakh
RewriteCond %{HTTP:Accept-Language} ^ky [NC,OR] #Kyrgyzstan Kyrgyz
RewriteCond %{HTTP:Accept-Language} ^sr [NC,OR] #Serbia Serbian
RewriteCond %{HTTP:Accept-Language} ^tg [NC,OR] #Tajikistan Tajik
RewriteCond %{HTTP:Accept-Language} ^es\-cu [NC,OR] #Spanish Cuba (not sure if in use)
RewriteCond %{HTTP:Accept-Language} ^es\-ve [NC,OR] #Spanish Venezuela
RewriteCond %{HTTP:Accept-Language} ^ko\-kp [NC,OR] #North Korea (not sure if in use)
RewriteCond %{HTTP:Accept-Language} ^fa [NC,OR] #Iran Persian (Farsi)
RewriteCond %{HTTP:Accept-Language} ^ar\-sy [NC,OR] #Syria Arabic
RewriteCond %{HTTP:Accept-Language} ^ar\-ye [NC] #Yemen Arabic
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspots by Language to The Honeypot -- End #####
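Added example (not code from the original posts or from the Blue Plate WAF file): a small Python evaluator that parses RewriteCond and RewriteRule lines written in the page's own syntax and applies Apache's condition semantics ([OR] chains, AND by default, ! negation, [NC]) to constructed requests. It serves the Joomla user-agent block from the previous post as well as the REMOTE_HOST and Accept-Language blocks here, and makes three things visible that the rules alone do not: the REQUEST_URI guard stops the catch-all rule from acting on a request already pointed at honeypot.php, ^ru only fires when Russian is the browser's first preference, and a REMOTE_HOST condition cannot match a ccTLD when Apache hands mod_rewrite the IP address because HostnameLookups is Off. The request dictionary layout, the function names and the sample values are this example's own assumptions; it models only the directive features the page uses.

```python
import re

# Constructed ruleset in the page's directive syntax: the REQUEST_URI guard,
# an [OR] chain mixing the Joomla user-agent indicator with a REMOTE_HOST
# ccTLD test and an Accept-Language test, then the catch-all RewriteRule.
# Text after the flag bracket is ignored, as Apache ignores it.
RULESET = r"""
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{HTTP_USER_AGENT} "JDatabaseDriverMysqli" [NC,OR] #Joomla indicator from the previous post
RewriteCond %{REMOTE_HOST} \.ru$ [NC,OR] #Russia
RewriteCond %{HTTP:Accept-Language} ^ru [NC] #Russian listed first
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
"""

COND_RE = re.compile(r"^RewriteCond\s+%\{([^}]+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?")
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?")


def _flags(text):
    # "[NC, OR]" with a space parses the same as "[NC,OR]", as it does in Apache.
    return {f.strip().upper() for f in (text or "").split(",") if f.strip()}


def parse_ruleset(text):
    """Return (conditions, pattern, substitution, nc) tuples; each RewriteRule
    owns the RewriteCond lines before it. A condition is the tuple
    (variable, regex, negated, nc, or_next)."""
    rules, pending = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cond = COND_RE.match(line)
        if cond:
            var, pattern, flags = cond.group(1), cond.group(2).strip('"'), _flags(cond.group(3))
            pending.append((var, pattern.lstrip("!"), pattern.startswith("!"),
                            "NC" in flags, "OR" in flags))
            continue
        rule = RULE_RE.match(line)
        if rule:
            rules.append((pending, rule.group(1), rule.group(2), "NC" in _flags(rule.group(3))))
            pending = []
    return rules


def lookup(var, req):
    """Resolve a %{VAR} as the page uses them. REMOTE_HOST falls back to the
    IP address, which is what Apache supplies when HostnameLookups is Off
    (the default) or the reverse lookup fails."""
    if var == "REQUEST_URI":
        return req["uri"]
    if var == "REMOTE_HOST":
        return req.get("remote_host") or req["remote_addr"]
    if var.startswith("HTTP:"):        # HTTP:Accept-Language, HTTP:From, ...
        return req["headers"].get(var[5:].lower(), "")
    if var.startswith("HTTP_"):        # HTTP_USER_AGENT, HTTP_REFERER
        return req["headers"].get(var[5:].replace("_", "-").lower(), "")
    return ""


def conditions_pass(conds, req):
    """Apache's RewriteCond logic: conditions AND together unless flagged
    [OR], in which case one true member satisfies the whole chain."""
    i = 0
    while i < len(conds):
        var, pattern, negate, nc, or_next = conds[i]
        hit = re.search(pattern, lookup(var, req), re.IGNORECASE if nc else 0) is not None
        ok = (not hit) if negate else hit
        if or_next:
            if not ok:
                i += 1                     # try the next alternative in the chain
                continue
            while i < len(conds) and conds[i][4]:
                i += 1                     # an alternative held: skip the rest of the chain
            i += 1                         # ...including its final, un-flagged member
            continue
        if not ok:
            return False                   # an AND condition failed
        i += 1
    return True


def rewrite(rules, req):
    """One pass over the ruleset: the substitution of the first rule whose
    pattern and conditions both hold, else None (request left untouched)."""
    path = req["uri"].split("?", 1)[0].lstrip("/")   # per-directory view of the URI
    for conds, pattern, subst, nc in rules:
        if re.search(pattern, path, re.IGNORECASE if nc else 0) is None:
            continue                       # conditions are only evaluated on a pattern match
        if conditions_pass(conds, req):
            return subst
    return None


def make_request(uri, headers=None, remote_addr="203.0.113.10", remote_host=None):
    """Constructed request; remote_host=None models HostnameLookups Off."""
    return {"uri": uri, "remote_addr": remote_addr, "remote_host": remote_host,
            "headers": {k.lower(): v for k, v in (headers or {}).items()}}


RULES = parse_ruleset(RULESET)

if __name__ == "__main__":
    samples = {
        "Joomla indicator in User-Agent": make_request("/index.php", {"User-Agent": "Mozilla/5.0 jdatabasedrivermysqli"}),
        "Russian first in Accept-Language": make_request("/index.php", {"Accept-Language": "ru-RU,ru;q=0.9,en;q=0.8"}),
        "Russian only as a fallback language": make_request("/index.php", {"Accept-Language": "en-US,en;q=0.9,ru;q=0.5"}),
        "reverse DNS name ends in .ru": make_request("/index.php", remote_host="client.example.ru"),
        "same client, HostnameLookups Off": make_request("/index.php"),
        "second pass on the honeypot URL": make_request("/honeypot.php/", {"Accept-Language": "ru"}),
    }
    for label, req in samples.items():
        print(f"{label:38} -> {rewrite(RULES, req) or 'not rewritten'}")
```

Feeding a copy of your own .htaccess block into parse_ruleset and a handful of requests captured from your access log is a quick offline check that a chain of [NC,OR] conditions does what you expect before it goes live.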

 

 

Web Site Referral Detection to Send Users from Specific Countries to Your Honeypot

Website referral detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification.  The HTTP_REFERER attribute is passed from a user's web browser when the user clicks on a link and that link takes the user to your website.

The code below reads the HTTP_REFERER variable sent from the user's browser using the RewriteCond command. If a country specific referral match is detected, the RewriteRule command virtually directs the user to your honey pot.

RewriteCond checks whether the referring website comes from a country code top-level domain related to the countries that the website owner would like to limit traffic from.

 

 

##### Start -- Redirect Geo Conflict Hotspots by Referral Website to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{HTTP_REFERER} \.ru$ [NC,OR] #Russia
RewriteCond %{HTTP_REFERER} \.am$ [NC,OR] #Armenia
RewriteCond %{HTTP_REFERER} \.by$ [NC,OR] #Belarus
RewriteCond %{HTTP_REFERER} \.kz$ [NC,OR] #Kazakhstan
RewriteCond %{HTTP_REFERER} \.kg$ [NC,OR] #Kyrgyzstan
RewriteCond %{HTTP_REFERER} \.tj$ [NC,OR] #Tajikistan
RewriteCond %{HTTP_REFERER} \.rs$ [NC,OR] #Serbia
RewriteCond %{HTTP_REFERER} \.cu$ [NC,OR] #Cuba
RewriteCond %{HTTP_REFERER} \.ve$ [NC,OR] #Venezuela
RewriteCond %{HTTP_REFERER} \.kp$ [NC,OR] #North Korea
RewriteCond %{HTTP_REFERER} \.ir$ [NC,OR] #Iran
RewriteCond %{HTTP_REFERER} \.sy$ [NC,OR] #Syria
RewriteCond %{HTTP_REFERER} \.ye$ [NC] #Yemen
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspots by Referral Website to The Honeypot -- End #####

 

 

Web Browser Version Detection to Send Users from Specific Countries to Your Honeypot

Web browser version detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification.  The HTTP_USER_AGENT attribute is passed from a user's web browser when the user accesses your website and self-identifies the type and version of web browser being used.

The code below reads the HTTP_USER_AGENT variable sent from the user's browser using the RewriteCond command. If a web browser version match is detected, the RewriteRule command virtually directs the user to your honey pot.

 

 

##### Start -- Redirect Geo Conflict Hotspot Web Browsers to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{HTTP_USER_AGENT} YaBrowser [NC,OR] #Russia
RewriteCond %{HTTP_USER_AGENT} Yowser [NC,OR] #Russia
RewriteCond %{HTTP_USER_AGENT} YaApp [NC,OR] #Russia
RewriteCond %{HTTP_USER_AGENT} naenara [NC] #North Korea
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspot Web Browsers to The Honeypot -- End #####

 

 

Country Specific Mobile Phone Hardware Detection to Send Specific Users to Your Honeypot

Mobile phone hardware type detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification.  The HTTP_USER_AGENT attribute is passed from a user's web browser when the user accesses your website, and at times it self-identifies the manufacturer of the mobile phone being used.

The code below reads the HTTP_USER_AGENT variable sent from the user's device browser using the RewriteCond command. If a mobile phone hardware match is detected, the RewriteRule command virtually directs the user to your honey pot.

 

 

##### Start -- Redirect Geo Conflict Hotspot Mobile Phone Hardware to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{HTTP_USER_AGENT} AYYA\sT1 [NC,OR] #Russia Ayya T1 Phone
RewriteCond %{HTTP_USER_AGENT} highscreen [NC,OR] #Russia Highscreen Phone
RewriteCond %{HTTP_USER_AGENT} teXet [NC,OR] #Russia Texet Phone
RewriteCond %{HTTP_USER_AGENT} YOTA [NC,OR] #Russia Yota Phone
RewriteCond %{HTTP_USER_AGENT} YD201 [NC,OR] #Russia Yota Phone 2
RewriteCond %{HTTP_USER_AGENT} YOTA\s3\+ [NC,OR] #Russia Yota Phone 3
RewriteCond %{HTTP_USER_AGENT} YotaDevices [NC] #Russia Yota Device
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspot Mobile Phone Hardware to The Honeypot -- End #####

 

 

Country Specific Mobile Phone Carrier Detection to Send Specific Users to Your Honeypot

Mobile phone carrier type detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification.  The HTTP_USER_AGENT attribute is passed from a user's web browser when the user accesses your website, and sometimes it self-identifies the mobile carrier being used.

The code below reads the HTTP_USER_AGENT variable sent from the user's device browser using the RewriteCond command. If a mobile carrier match is detected, the RewriteRule command virtually directs the user to your honey pot.

 

 

##### Start -- Redirect Geo Conflict Hotspot Mobile Phone Carriers to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{HTTP_USER_AGENT} MegaFon [NC] #Russia Only Mobile Carrier
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspot Mobile Phone Carriers to The Honeypot -- End #####

 

  

Country Specific Bot Detection to Send Specific Bots to Your Honeypot

Bot detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification.  The HTTP_USER_AGENT attribute is passed from a bot to your website and is used to self-identify the type of bot accessing your website.

The code below reads the HTTP_USER_AGENT variable transmitted by the bot using the RewriteCond command. If a bot match is detected, the RewriteRule command virtually directs the bot to your honey pot.

 

 

##### Start -- Redirect Geo Conflict Hotspot Bots to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{HTTP_USER_AGENT} YandexBot [NC,OR] #Russia SE Bot
RewriteCond %{HTTP_USER_AGENT} YaDirectFetcher [NC,OR] #Russia SE Bot
RewriteCond %{HTTP_USER_AGENT} rambler [NC,OR] #Russia SE Bot
RewriteCond %{HTTP_USER_AGENT} Mail\.Ru [NC,OR] #Russia SE Bot
RewriteCond %{HTTP_USER_AGENT} aport [NC,OR] #Russia SE Bot
RewriteCond %{HTTP_USER_AGENT} yooz [NC,OR] #Iranian SE Bot
RewriteCond %{HTTP_USER_AGENT} hivaBot [NC,OR] #Iranian SE Bot (yooz)
RewriteCond %{HTTP_USER_AGENT} Parsijoo [NC,OR] #Iranian SE Bot
RewriteCond %{HTTP_USER_AGENT} Rismoon [NC] #Iranian SE Bot
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspot Bots to The Honeypot -- End #####

 

  

Bot Email Address Detection to Send Users from Specific Countries to Your Honeypot

Bot email address detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification.  The HTTP:From header attribute is passed from a bot to your website and is used to self-identify the email address of bots accessing your website.  Note that this is an older HTTP standard header but it is still in use by many bots.

The code below reads the HTTP:From header sent from the bot using the RewriteCond command. If a country specific email address match is detected, the RewriteRule command virtually directs the bot to your honey pot. RewriteCond checks whether the bot email address ends in a country code top-level domain related to the countries that the website owner would like to limit traffic from.

 

 

##### Start -- Redirect Geo Conflict Hotspot Bot Email Addresses to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{HTTP:From} \.ru$ [NC,OR] #Russia
RewriteCond %{HTTP:From} \.am$ [NC,OR] #Armenia
RewriteCond %{HTTP:From} \.by$ [NC,OR] #Belarus
RewriteCond %{HTTP:From} \.kz$ [NC,OR] #Kazakhstan
RewriteCond %{HTTP:From} \.kg$ [NC,OR] #Kyrgyzstan
RewriteCond %{HTTP:From} \.tj$ [NC,OR] #Tajikistan
RewriteCond %{HTTP:From} \.rs$ [NC,OR] #Serbia
RewriteCond %{HTTP:From} \.cu$ [NC,OR] #Cuba
RewriteCond %{HTTP:From} \.ve$ [NC,OR] #Venezuela
RewriteCond %{HTTP:From} \.kp$ [NC,OR] #North Korea
RewriteCond %{HTTP:From} \.ir$ [NC,OR] #Iran
RewriteCond %{HTTP:From} \.sy$ [NC,OR] #Syria
RewriteCond %{HTTP:From} \.ye$ [NC] #Yemen
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspot Bot Email Addresses to The Honeypot -- End #####

 

  

Client Certificate Detection to Send Users Providing Country Specific Certificate Authorities to Your Honey Pot

Client certificate detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification.  The SSL:SSL_CLIENT_I_DN_O variable is retrieved by Apache when a client connects to your website using an SSL/TLS encryption certificate.  This variable identifies the organization name listed for the certificate authority (CA) in the client's encryption certificate.

Recent news reports suggest that Russia has mandated all Russian users and products implement certificates produced by the Russian Ministry of Digital Development and Communications.  A certificate from this Russian government entity can be identified using this described method.  

The Apache directives below must be configured in your httpd.conf file for the SSL:SSL_CLIENT_I_DN_O variable to be accessible to .htaccess.  The variable is only filled in when the server has asked the browser for a client certificate (SSLVerifyClient set to optional or require) and the browser presented one; a client that merely trusts a particular root CA for server certificates sends nothing this rule can see.  You may need to check with your hosting provider to determine whether this functionality is available to you.

  • SSLEngine 
  • SSLOptions +StdEnvVars

The code below reads the SSL:SSL_CLIENT_I_DN_O variable in the user's client certificate using the RewriteCond command. If a country specific certificate authority organization name match is detected, the RewriteRule command virtually directs the user to your honey pot. RewriteCond checks whether the certificate authority's organizational name matches an organization that the website owner would like to limit traffic from.

 

 

##### Start -- Redirect Geo Conflict Hotspot Certificate Authorities To The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{SSL:SSL_CLIENT_I_DN_O} Russian [NC] #Russian Trusted Root CA
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspot Certificate Authorities To The Honeypot -- End #####

 

 

 

The working file is available for download here.  We welcome questions, comments, and thoughts on these techniques; reach out to the PCCS Labs Team.

About Private Client Cyber Security

Former U.S. defense industry cybersecurity executives founded PCCS after struggling to convince large cybersecurity companies to address the cyber risks of public persons and small-sized businesses.

PCCS provides enterprise-grade cybersecurity consulting and services to professional practices, executives, athletes, and high net worth families.

We strive to provide a personal, professional and a next-generation technology level of cyber protection to our clients. 

 
